Virtual TPM

This guide outlines the implementation and configuration requirements for Virtual Trusted Platform Module (vTPM) v2.0 support in Private Cloud Director. The solution uses the open source OpenStack Barbican service to store and manage the encryption secrets that back each vTPM. The Virtual TPM service provides emulated TPM devices to VMs running on Private Cloud Director hypervisor hosts.

Image Preparation and Configuration

The Virtual TPM configuration is controlled through metadata that can be applied at the virtual machine image level.

When you add TPM metadata to an image, any VM created using the image will automatically enable vTPM with the specified configuration. The metadata parameters control:

  • The TPM version (1.2 or 2.0)

  • The TPM model type (tpm-tis or tpm-crb)

You can apply this configuration by adding the following metadata to the image.

Image-level Properties

The following TPM metadata must be associated with a virtual machine image in order to enable vTPM for the VMs created from that image.

hw_tpm_version = 2.0
hw_tpm_model = tpm-crb

For example, you might start with a standard Windows image without TPM support and later add TPM 2.0 support by updating the image metadata. Any new VMs created from this image will have TPM 2.0 enabled, while existing VMs remain unchanged.
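The following script is an added example and is not part of the Private Cloud Director documentation. It validates the two image properties named above (the version must be 1.2 or 2.0, the model tpm-tis or tpm-crb, and the CRB interface exists only for TPM 2.0, so tpm-crb is rejected with version 1.2) and builds or runs the OpenStack Image CLI command that applies them. The image name win2022-tpm is a constructed placeholder, and the apply step assumes an authenticated openstack client on the path.

```shell
#!/bin/sh
# Added example (not from the Private Cloud Director docs): validate and apply
# the vTPM image properties hw_tpm_version and hw_tpm_model.
# Assumptions: an authenticated 'openstack' CLI for the apply step; the image
# name "win2022-tpm" used at the bottom is a constructed placeholder.
set -eu

# Return 0 when the version/model pair is one the page lists and consistent:
# version 1.2 or 2.0, model tpm-tis or tpm-crb, and tpm-crb (the TPM 2.0
# command-response buffer interface) only together with version 2.0.
vtpm_props_ok() {
  version="$1"
  model="$2"
  case "$version" in
    1.2|2.0) ;;
    *) echo "bad hw_tpm_version: $version (expected 1.2 or 2.0)" >&2; return 1 ;;
  esac
  case "$model" in
    tpm-tis|tpm-crb) ;;
    *) echo "bad hw_tpm_model: $model (expected tpm-tis or tpm-crb)" >&2; return 1 ;;
  esac
  if [ "$model" = tpm-crb ] && [ "$version" != 2.0 ]; then
    echo "tpm-crb requires hw_tpm_version=2.0" >&2
    return 1
  fi
  return 0
}

# Print the 'openstack image set' command that applies both properties.
vtpm_image_set_cmd() {
  image="$1"
  version="$2"
  model="$3"
  vtpm_props_ok "$version" "$model" || return 1
  printf 'openstack image set --property hw_tpm_version=%s --property hw_tpm_model=%s %s\n' \
    "$version" "$model" "$image"
}

# Apply the properties, then read them back so the change is confirmed.
vtpm_image_apply() {
  image="$1"
  version="$2"
  model="$3"
  vtpm_props_ok "$version" "$model" || return 1
  openstack image set --property "hw_tpm_version=$version" \
    --property "hw_tpm_model=$model" "$image"
  openstack image show -f value -c properties "$image"
}

# Stand-alone run: apply when a client is available, otherwise just show the
# command that would be run.
if command -v openstack >/dev/null 2>&1; then
  vtpm_image_apply "win2022-tpm" 2.0 tpm-crb
else
  vtpm_image_set_cmd "win2022-tpm" 2.0 tpm-crb
fi
```

After applying the properties, `openstack image show -f value -c properties` should list both keys; VMs launched from the image afterwards receive a vTPM, while VMs that already exist are not changed, as the paragraph above notes.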

VM Deployment and Verification

  1. Create a VM with vTPM support through the Private Cloud Director UI.

  2. Make sure that the VM reaches the "Active" state.

  3. Perform TPM verification as described below:

For Windows VMs:

For Linux VMs:

General TPM Verification:

Expected TPM configuration in XML:

Secret Management Verification

Run the following command to make sure that the secrets were created successfully:

Each VM with TPM should have a corresponding secret entry.
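The script below is an added example, not part of the Private Cloud Director documentation, and covers the two host-side checks above: the expected TPM element in the instance's libvirt XML and the presence of a Barbican secret for the VM. The domain XML fragment and the secret listing are constructed samples; on a real hypervisor the XML comes from `virsh dumpxml <instance-name>` and the listing from `openstack secret list -f value -c Name`. The secret naming scheme used in the sample is an assumption, which is why the check matches on the instance UUID only.

```shell
#!/bin/sh
# Added example (not from the Private Cloud Director docs): verify a vTPM
# instance on the hypervisor side.
# Assumptions: 'virsh' and the 'openstack' CLI (with the barbican plugin)
# are present for the live checks; the sample data below is constructed.
set -eu

# Constructed libvirt domain XML for a TPM 2.0 device using the CRB model.
SAMPLE_XML='<domain type="kvm">
  <name>instance-00000042</name>
  <devices>
    <tpm model="tpm-crb">
      <backend type="emulator" version="2.0"/>
    </tpm>
  </devices>
</domain>'

# Constructed 'openstack secret list -f value -c Name' output. The naming
# scheme is a placeholder assumption; only the instance UUID is relied upon.
SAMPLE_INSTANCE_UUID='0d8f3b2a-7c1e-4e5a-9f11-3c2b6d8a4e01'
SAMPLE_SECRETS='vTPM secret for instance 0d8f3b2a-7c1e-4e5a-9f11-3c2b6d8a4e01
volume key 5a6b7c8d-0000-4000-8000-000000000000'

# Return 0 when the domain XML on stdin declares an emulated TPM with the
# requested model and version. Single or double quotes are both accepted,
# and the dot in the version is escaped so "2.0" does not match "200".
tpm_xml_ok() {
  want_model="$1"
  want_version=$(printf '%s' "$2" | sed 's/\./\\./g')
  xml=$(cat)
  printf '%s\n' "$xml" | grep -Eq "<tpm model=[\"']$want_model[\"']" || return 1
  printf '%s\n' "$xml" | grep -Eq "<backend type=[\"']emulator[\"'] version=[\"']$want_version[\"']" || return 1
  return 0
}

# Return 0 when the secret names on stdin contain the instance UUID.
secret_for_instance() {
  grep -Fq "$1"
}

# Live checks on a hypervisor host: both functions above, fed from the real
# tools. Only run here when the tools exist so the script stays self-contained.
verify_live() {
  domain="$1"
  uuid="$2"
  virsh dumpxml "$domain" | tpm_xml_ok tpm-crb 2.0 \
    && echo "libvirt XML: TPM 2.0 (tpm-crb) present" \
    || { echo "libvirt XML: expected TPM device missing" >&2; return 1; }
  openstack secret list -f value -c Name | secret_for_instance "$uuid" \
    && echo "Barbican: secret found for $uuid" \
    || { echo "Barbican: no secret for $uuid" >&2; return 1; }
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_XML" | tpm_xml_ok tpm-crb 2.0 \
  && echo "sample XML: TPM 2.0 (tpm-crb) present"
printf '%s\n' "$SAMPLE_SECRETS" | secret_for_instance "$SAMPLE_INSTANCE_UUID" \
  && echo "sample secrets: entry found for $SAMPLE_INSTANCE_UUID"
if command -v virsh >/dev/null 2>&1 && command -v openstack >/dev/null 2>&1; then
  verify_live instance-00000042 "$SAMPLE_INSTANCE_UUID"
fi
```

Inside the guest, the same device can be confirmed from the operating system: a Linux VM exposes /dev/tpm0 and /dev/tpmrm0, and `tpm2_getcap properties-fixed` from tpm2-tools reports TPM2_PT_FAMILY_INDICATOR as "2.0"; a Windows VM reports TpmPresent and TpmReady as True from the `Get-Tpm` PowerShell cmdlet. A VM whose XML has the TPM element but no matching Barbican secret is the case worth alerting on, since the emulated TPM state cannot be unsealed without it.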
